You are viewing a single comment's thread from:

RE: The Cryptocurrency Bank Spreadsheet

in #crypto8 years ago

Hmm I've always assumed that password managers can be exploited and end up being worse for me. So I never keep any passwords anywhere except on paper. The one time I actually saved a password was for Steemit last year and guess what, that was the first time someone gained keys to my account..

So I'm pretty paranoid about keeping stuff on the pc.

I'll look into 1Password!

Sort:  

I'd say on paper is much worse. If your computer is compromised, it doesn't matter where you store your passwords, a key logger will pick them up when you use them. Another benefit of a password manager is it avoids phishing attacks.

I wrote more about this here: https://steemit.com/steemit/@lukestokes/password-security-you-re-the-problem

Key security concepts to keep in mind:

  • Always be on the latest security updates for your operating system
  • Always run an up-to-date antivirus software. Don't just have it installed, but verify updates are happening regularly.
  • Always use a secure password manager. I like 1Password because it stores the encrypted password database on dropbox so backups happen automatically. If my computer ever crashes, I can restore 1Password's password file from dropbox.

Key loggers are the biggest risk on any platform. Despite the solid security model of Unix / Linux / Mac, if you manage to get infected with a key logger (typically you get infected through email or websites) NO schemes for password security will help, since the key logger will capture any passwords you use when you type them in.

I have been looking for reliable keylogger detector software for all 3 platforms I use (Windows, Mac & Linux) for the last 2 years and still have not found solutions for all 3 platforms yet.

I haven't looked at 1Password, I'm sure it's good if Luke endorses it, and there are many others to choose from. I myself use an encrypted USB stick. If my password to unlock the encryption of the USB key is captured by a keylogger, the attacker couldn't use that info if the usb key is not plugged in, and I don't leave it plugged in very long.

It's not a perfect system. If I fail to detect a keylogger, over time it would capture any passwords I used from the encrypted usb stick.

Response to Luke's comment below (6 level depth restriction):

Yes, I DO have 2 copies of the usb. A weakness of that is they are not always in sync with each other. Password managers like 1Password etc are very good, and I recommend you keep a backup in multiple locations. A cloud location is one solution, I prefer local myself, and although the chances of cracking a password vault left in a public location (dropbox, cloud storage etc) is extremely unlikely, I prefer to keep such sensitive data under my personal control / possession and thus eliminate any chances the vault can be accessed by anyone but me.

Many may not want to sacrifice the convenience of keeping such data available anywhere, I'm not one of them.

Interesting that you didn't say anything regarding keyloggers.

What happens if your USB stick fails? What if you lose it? Do you have multiple backups?

The reason I like 1Password is because the browser extensions also protect you from phishing attacks.

Interesting that you didn't say anything regarding keyloggers.

But I did:

a key logger will pick them up when you use them.